- Resource Group
- Key Vault
- Azure AD Auth
- Azure Container Registry
- Azure App Service
- Azure Container Registry Webhooks
- CORS Configuration
- Grant Key Vault Access
This document will walk through each step of the create.sh script and show the infrastructure that is being created and configured.
`. init-variables.sh` sets all of the environment variables used throughout the script to refer to the names of the infrastructure being generated. See init-variables.sh.

`az group create` establishes a resource group to aggregate all of the related Azure services that will be generated by the rest of the script. Isolating capabilities by resource group allows you to easily contain and manage related resources without affecting other cloud infrastructure.

`az keyvault create` establishes an Azure Key Vault for managing secrets (API keys, connection strings, etc.).
Lines 23 - 168 configure and persist all of the OAuth and OpenID Connect app registrations and configuration necessary for Azure AD authorization of the API and SPA App. Lines 104 - 121 automatically update the API and CLI appsettings with the generated values needed for AD auth.
The Azure AD setup covers the following:
- App Registration
- API Authentication Configuration
- API Optional Claims
- API Exposure
- API App Roles
- SPA App Authentication
- SPA App API Permissions
For isolated examples of Azure AD integration, see the following:
`az acr create` creates an Azure Container Registry for hosting the generated Docker images.

`az acr build` generates an image for each of the app projects and pushes them to the previously generated Azure Container Registry.

`az appservice plan create` creates an App Service plan for the generated Azure App Service instances.

`az webapp create` generates an Azure App Service for each app project and uses the linked Docker image from the container registry. The deployed instances are:
- Deployed Sync Server
- Deployed Processor Service
- Deployed App API
- Deployed SPA App
`az webapp log config` configures logging for each Azure App Service instance.

`az webapp deployment container config` enables continuous deployment for each Azure App Service instance. Whenever a new image is pushed to Azure Container Registry, the corresponding Azure App Service instance automatically updates itself to the new image.

`az acr webhook create` generates the webhooks needed for Azure Container Registry to notify the corresponding App Service instance when a new image is received.
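The two commands above are one procedure: enabling continuous deployment yields the webhook URL that the registry webhook must target. The script below is an added example, not the repository's create.sh; the resource names, the repository:tag scope and the dry-run webhook URL are constructed placeholders. `DRY_RUN=1` (the default) prints each `az` command instead of running it, so the sequence can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Added example, not the repository's create.sh: wire an App Service instance
# to redeploy automatically when a new image lands in Azure Container Registry.
DRY_RUN="${DRY_RUN:-1}"

# Print the az command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Usage: enable_continuous_deployment <resource-group> <webapp> <acr-name> <repository> [tag]
enable_continuous_deployment() {
  rg="$1"; app="$2"; acr="$3"; repo="$4"; tag="${5:-latest}"

  # 1. Turn on continuous deployment. Azure answers with the CI_CD_URL that the
  #    registry must call; it embeds the site's publishing credentials, so treat
  #    it as a secret and never echo it into CI logs.
  if [ "$DRY_RUN" = "1" ]; then
    run webapp deployment container config -g "$rg" -n "$app" --enable-cd true --query CI_CD_URL -o tsv
    # Constructed placeholder, used only in dry-run mode.
    cd_url="https://PLACEHOLDER_USER:PLACEHOLDER_PASSWORD@${app}.scm.azurewebsites.net/docker/hook"
  else
    cd_url=$(az webapp deployment container config -g "$rg" -n "$app" \
               --enable-cd true --query CI_CD_URL -o tsv)
  fi

  # 2. Register a push webhook in ACR that targets that URL, scoped to the one
  #    repository:tag this app runs, so unrelated pushes do not redeploy it.
  #    ACR webhook names must be alphanumeric, so strip everything else.
  hook=$(printf '%s' "${app}hook" | tr -cd '[:alnum:]')
  run acr webhook create -r "$acr" -n "$hook" --uri "$cd_url" --actions push --scope "${repo}:${tag}"
}
```

Scoping the webhook to a single `repository:tag` is the detail worth keeping: an unscoped push webhook fires for every image in the registry, which means any push by anyone with registry write access restarts this service.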
`az webapp cors add` configures CORS on the sync server to allow the SPA to send and receive web socket broadcasts. The `az resource update` directly below it enables the Access-Control-Allow-Credentials header.
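Because the credentials header is enabled, the allowed origin has to be explicit: browsers ignore `Access-Control-Allow-Origin: *` on credentialed responses, and a wildcard plus credentials is also the configuration that exposes the sync server to any site. The script below is an added example, not the repository's create.sh; it refuses a wildcard or path-bearing origin before issuing the two commands. Resource names and the SPA origin are constructed placeholders, and `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the repository's create.sh: allow exactly the SPA's origin
# on the sync server and enable Access-Control-Allow-Credentials.
DRY_RUN="${DRY_RUN:-1}"

# Print the az command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Usage: configure_cors <resource-group> <sync-server-webapp> <spa-origin>
# The origin must be scheme://host[:port], with no path and no wildcard.
configure_cors() {
  rg="$1"; app="$2"; origin="$3"

  case "$origin" in
    *'*'*)
      echo "refusing '$origin': credentialed CORS requires an explicit origin, not a wildcard" >&2
      return 1 ;;
    https://*/*|http://localhost*/*)
      echo "refusing '$origin': an origin has no path component" >&2
      return 1 ;;
    https://*|http://localhost*) ;;   # plain http only for local development
    *)
      echo "refusing '$origin': expected https://host[:port] (or http://localhost for dev)" >&2
      return 1 ;;
  esac

  # 1. Add this one origin (az webapp cors add appends to the existing list).
  run webapp cors add -g "$rg" -n "$app" --allowed-origins "$origin"

  # 2. The cors subcommand has no credentials flag, so set supportCredentials on
  #    the site's "web" config resource; that is what emits
  #    Access-Control-Allow-Credentials: true.
  run resource update -g "$rg" --name web --namespace Microsoft.Web --resource-type config \
      --parent "sites/$app" --set properties.cors.supportCredentials=true
}
```

Run it once per SPA origin that genuinely needs the sync server; a staging origin left in the list after a test is the usual way this allow-list grows beyond what the deployment needs.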
Lines 370 - 395 configure the App API to access the Key Vault.

The Key Vault name is added to the app settings with a `VaultName` key (`az webapp config appsettings set`):

The App API is given a Managed Identity (the Azure Services equivalent of a service account), which is what the Key Vault grants access to (`az webapp identity assign`):

`az keyvault set-policy` grants the `get` and `list` secret permissions to the App API managed identity:
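The three steps above, carried through as one script and finished with a read-back of the resulting policy, as an added example that is not the repository's create.sh. Resource names are constructed placeholders; in dry-run mode (`DRY_RUN=1`, the default) the managed identity's principal id is also a placeholder, since it is only known once `az webapp identity assign` has run.

```shell
#!/bin/sh
# Added example, not the repository's create.sh: give the App API's managed
# identity read-only access to the Key Vault, then verify the grant.
DRY_RUN="${DRY_RUN:-1}"

# Print the az command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Usage: grant_keyvault_access <resource-group> <api-webapp> <keyvault-name>
grant_keyvault_access() {
  rg="$1"; app="$2"; vault="$3"

  # 1. Hand the app the vault name through its app settings (VaultName key).
  #    Only the name is stored; no credential ever lands in app settings.
  run webapp config appsettings set -g "$rg" -n "$app" --settings "VaultName=$vault"

  # 2. Enable a system-assigned managed identity and keep only its principalId.
  if [ "$DRY_RUN" = "1" ]; then
    run webapp identity assign -g "$rg" -n "$app" --query principalId -o tsv
    principal_id="00000000-0000-0000-0000-000000000000"   # constructed placeholder, dry-run only
  else
    principal_id=$(az webapp identity assign -g "$rg" -n "$app" --query principalId -o tsv)
  fi

  # 3. Least privilege: the API reads secrets, so it gets get and list and
  #    nothing else (no set, delete, purge, and no key or certificate permissions).
  run keyvault set-policy -n "$vault" --object-id "$principal_id" --secret-permissions get list

  # 4. Read the policy back so the grant is verified rather than assumed; the
  #    answer should be exactly ["get", "list"] for this object id.
  run keyvault show -n "$vault" \
      --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.secrets" -o json
}
```

`az keyvault set-policy` applies to vaults using the access-policy permission model; the read-back in step 4 is the check to keep in the deployment pipeline, because a later `set-policy` for the same object id replaces the secret permissions rather than adding to them, so drift is easy to miss without it.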